CLAIMS:

1. A method for allowing a server node in a virtual private network to have a single tunnel definition and a single security policy for a plurality of tunnels associated with a group name, comprising the steps of:

configuring a group database in said server node, wherein said group database in said server node comprises said group name and a list of members associated with said group name; and

configuring a rules database in said server node, wherein said rules database associates said group name with a particular security policy, wherein said server node has a single security policy for each of the plurality of tunnels associated with said group name.

2. The method as recited in claim 1 further comprising the step of:

configuring a tunnel definition database in said server node, wherein a remote ID in said tunnel definition is defined as said group name, wherein said server node has a single tunnel definition for each of the plurality of tunnels associated with said group name.

3. The method as recited in claim 2 further comprising the step of:

activating a particular tunnel of said plurality of tunnels associated with said group name, wherein said particular tunnel is associated with a particular member of said group name.

4. The method as recited in claim 3 further comprising the step of:

transferring data across said particular tunnel.
5. The method as recited in claim 1, wherein said list of members associated with said group name comprise an ID type and an ID of each member associated with said group name.

6. The method as recited in claim 5, wherein said ID type is an Internet Key Exchange (IKE) defined ID type, wherein said list of members is a non-contiguous list of IKE defined ID types.

7. The method as recited in claim 5, wherein said ID is a login ID.

8. The method as recited in claim 5, wherein said ID is a specified name.

9. The method as recited in claim 2, wherein configuring said tunnel definition database in said server node comprises establishing said server node and a client node as the two end points of a particular tunnel.

10. The method as recited in claim 9, wherein said tunnel definition database in said server node is configured by a user entering a local ID, a local ID type, said remote ID and a remote ID type through a GUI.



11. The method as recited in claim 9, wherein said tunnel definition database in said server node is configured by a user entering a local ID, a local ID type, said remote ID and a remote ID type through a command line interface.

12. The method as recited in claim 1, wherein said group database in said server node comprises said group name and an ID type of each member of said group name and an ID of each member of said group name.
13. The method as recited in claim 12, wherein configuring said group database in said server node is accomplished by entering said group name, said ID type of each member of said group name and said ID of each member of said group name through a GUI.

14. The method as recited in claim 12, wherein configuring said group database in said server node is accomplished by entering said group name, said ID type of each member of said group name and said ID of each member of said group name through a command line interface.

15. The method as recited in claim 12, wherein configuring said group database in said server node is accomplished by entering said group name, said ID type of each member of said group name and said ID of each member of said group name through configuration files.

16. The method as recited in claim 1, wherein said rules database in said server node comprises said group name, a group name ID type and a security policy pointer.

17. The method as recited in claim 16, wherein configuring said rules database in said server node is accomplished by entering said group name, said group name ID type and said security policy pointer through a GUI.

18. The method as recited in claim 16, wherein configuring said rules database in said server node is accomplished by entering said group name, said group name ID type and said security policy pointer through a command line interface.
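The three server-side databases of claims 1, 2, 5, 6, 12 and 16, and the lookup the server performs against them when a peer presents an (ID type, ID) pair, as an added Python example. It is not code from the patent or from the assignee's product. The record layouts, the numeric IKE ID-type constants (taken from RFC 2407), the choice of KEY_ID as the ID type carried by a group name, the contents of a security policy, and the sample group, addresses and protection-suite names are all assumptions made for the example.

```python
"""Group-keyed tunnel databases on the server node (added example, not patent code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# IKEv1 identification types, numbered as in RFC 2407 section 4.6.2.1.
ID_IPV4_ADDR = 1
ID_FQDN = 2        # a "specified name" in the claims
ID_USER_FQDN = 3   # a "login ID" in the claims
ID_KEY_ID = 11     # assumed here to be the ID type carried by a group name


@dataclass(frozen=True)
class MemberID:
    """One entry of a group's member list: an IKE ID type plus the ID itself."""
    id_type: int
    id_value: str


@dataclass
class SecurityPolicy:
    """Assumed policy contents: the protection suites this server will accept."""
    name: str
    protection_suites: List[str]


@dataclass
class TunnelDefinition:
    """The single definition shared by every tunnel of a group: the remote ID
    is the group name, not the ID of any one member."""
    local_id: MemberID
    remote_id: MemberID


@dataclass
class ServerNode:
    # group database: group name -> non-contiguous list of (ID type, ID) members
    group_db: Dict[str, List[MemberID]] = field(default_factory=dict)
    # rules database: group name -> (group name ID type, security policy pointer)
    rules_db: Dict[str, Tuple[int, str]] = field(default_factory=dict)
    # tunnel definition database: group name -> the one shared definition
    tunnel_db: Dict[str, TunnelDefinition] = field(default_factory=dict)
    # the policies the "pointers" in rules_db resolve to
    policies: Dict[str, SecurityPolicy] = field(default_factory=dict)

    def configure_group(self, group: str, members: List[MemberID]) -> None:
        self.group_db[group] = list(members)

    def configure_rule(self, group: str, policy: SecurityPolicy) -> None:
        self.policies[policy.name] = policy
        self.rules_db[group] = (ID_KEY_ID, policy.name)

    def configure_tunnel(self, group: str, local_id: MemberID) -> None:
        self.tunnel_db[group] = TunnelDefinition(local_id, MemberID(ID_KEY_ID, group))

    def group_of(self, peer: MemberID) -> Optional[str]:
        """Find the group whose member list holds this (ID type, ID) pair.
        Both fields must match: a login ID presented as an FQDN is a miss."""
        for group, members in self.group_db.items():
            if peer in members:
                return group
        return None

    def resolve(self, peer: MemberID) -> Optional[Tuple[str, TunnelDefinition, SecurityPolicy]]:
        """What the server applies to a tunnel from this peer: its group, the
        group's single tunnel definition, and the policy the rule points to."""
        group = self.group_of(peer)
        if group is None:
            return None
        _id_type, pointer = self.rules_db[group]
        return group, self.tunnel_db[group], self.policies[pointer]


def build_example_server() -> ServerNode:
    """A server with one group whose members use three different IKE ID types.
    Group name, members, addresses and suites are constructed sample data."""
    srv = ServerNode()
    srv.configure_group("sales", [
        MemberID(ID_USER_FQDN, "alice@example.com"),
        MemberID(ID_FQDN, "laptop7.example.com"),
        MemberID(ID_IPV4_ADDR, "192.0.2.10"),
    ])
    srv.configure_rule("sales", SecurityPolicy("sales-esp", ["ESP-AES128-SHA1", "ESP-3DES-SHA1"]))
    srv.configure_tunnel("sales", MemberID(ID_IPV4_ADDR, "203.0.113.1"))
    return srv
```

Two members with different ID types resolve to the same TunnelDefinition and SecurityPolicy objects, which is the point of claims 1 and 2: one definition and one policy per group rather than one per peer. The match is on the (ID type, ID) pair, so the same string under a different IKE ID type does not authorise a tunnel.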



19. The method as recited in claim 3, wherein activating said particular tunnel comprises the steps of:

sending a security policy stored in a policy database of a client node by said client node to said server node;

sending a security policy stored in a policy database of said server node by said server node to said client node if said security policy stored in said policy database of said server node matches said security policy stored in said policy database of said client node;

sending a first nonce by said client node to said server node;

sending a second nonce by said server node to said client node;

sending a first ID by said client node to said server node; and

sending a second ID by said server node to said client node.

20. The method as recited in claim 19, wherein said first and second nonce are used to generate key material for said server and client node, respectively.

21. The method as recited in claim 19, wherein said policy database in said client and server node are configured by entering said security policy through a GUI at said client and server node.

22. The method as recited in claim 19, wherein said policy database in said client and server node are configured by entering said security policy through a command line interface at said client and server node.

23. The method as recited in claim 19, wherein said first ID is an ID of said particular member of said group name.

AUS9-2000-0479-US1 PATENT

24. The method as recited in claim 3, wherein activating said particular tunnel comprises the steps of:

sending a security policy stored in a policy database of a client node by said client node to said server node;

sending a security policy stored in a policy database of said server node by said server node to said client node if said security policy stored in said policy database of said server node agrees on the same set of protection suites at any point in time with said security policy stored in said policy database of said client node;

sending a first nonce by said client node to said server node;

sending a second nonce by said server node to said client node;

sending a first ID by said client node to said server node; and

sending a second ID by said server node to said client node.
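The six-message activation of claims 19 and 24, with the key material of claim 20 derived from both nonces and the membership check implied by claim 23, as an added Python example. It is not code from the patent or from the assignee's product. The message encoding (an in-memory transcript), HMAC-SHA-256 as the pseudo-random function, 16-byte nonces, the protection-suite strings and the membership set are assumptions made for the example; a real IKE exchange also mixes a Diffie-Hellman result into the key material, which the claims do not mention and the example omits.

```python
"""Group-keyed tunnel activation, client and server sides (added example, not patent code)."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Tuple

ID_IPV4_ADDR = 1   # IKEv1 ID types as numbered in RFC 2407
ID_FQDN = 2        # a "specified name" in the claims
ID_USER_FQDN = 3   # a "login ID" in the claims


class ActivationError(Exception):
    """Raised when one of the six activation steps cannot complete."""


@dataclass
class Node:
    id_type: int
    id_value: str
    suites: List[str]   # this node's policy-database entry, most preferred first


def matching_policy(server_suites: List[str], client_suites: List[str]) -> List[str]:
    """Claim 24's test: the server answers with its policy only if the two policies
    agree on a set of protection suites.  Server preference order is kept."""
    return [s for s in server_suites if s in client_suites]


def key_material(first_nonce: bytes, second_nonce: bytes, label: bytes) -> bytes:
    """Claim 20: key material generated from the two nonces.  Assumed PRF:
    HMAC-SHA-256 keyed with N_client || N_server; the label separates directions."""
    return hmac.new(first_nonce + second_nonce, label, hashlib.sha256).digest()


def activate(client: Node, server: Node, group_name: str,
             members: FrozenSet[Tuple[int, str]],
             rng: Callable[[int], bytes] = os.urandom) -> Dict[str, object]:
    """Run the exchange of claims 19/24 and return what both sides end up holding."""
    transcript = []
    # Step 1: client -> server, the client's security policy.
    transcript.append(("client", "policy", tuple(client.suites)))
    # Step 2: server -> client, the server's policy, only if the policies agree.
    agreed = matching_policy(server.suites, client.suites)
    if not agreed:
        raise ActivationError("no protection suite in common; server sends no policy")
    transcript.append(("server", "policy", tuple(server.suites)))
    # Steps 3 and 4: first nonce from the client, second nonce from the server.
    first_nonce, second_nonce = rng(16), rng(16)   # 16 bytes each is an assumption
    transcript.append(("client", "nonce", first_nonce))
    transcript.append(("server", "nonce", second_nonce))
    # Step 5: client -> server, the first ID.  Per claim 23 this is the member's own
    # ID; the server admits it under the group's single tunnel definition only if
    # the (ID type, ID) pair is in the group database.
    first_id = (client.id_type, client.id_value)
    if first_id not in members:
        raise ActivationError(f"{first_id!r} is not a member of group {group_name!r}")
    transcript.append(("client", "id", first_id))
    # Step 6: server -> client, the second ID.
    second_id = (server.id_type, server.id_value)
    transcript.append(("server", "id", second_id))
    # Both sides have both nonces and derive the same per-direction keys.
    return {
        "group": group_name,
        "agreed_suites": agreed,
        "client_to_server_key": key_material(first_nonce, second_nonce, b"c2s"),
        "server_to_client_key": key_material(first_nonce, second_nonce, b"s2c"),
        "transcript": transcript,
    }


def run_example() -> Dict[str, object]:
    """Constructed sample: one group member activating a tunnel with fresh nonces."""
    client = Node(ID_USER_FQDN, "alice@example.com", ["ESP-3DES-SHA1", "ESP-AES128-SHA1"])
    server = Node(ID_IPV4_ADDR, "203.0.113.1", ["ESP-AES128-SHA1", "ESP-3DES-SHA1", "ESP-DES-MD5"])
    members = frozenset({(ID_USER_FQDN, "alice@example.com"), (ID_FQDN, "laptop7.example.com")})
    return activate(client, server, "sales", members)


if __name__ == "__main__":
    result = run_example()
    print("agreed suites:", result["agreed_suites"])
```

The two failure modes a practitioner cares about are both explicit: a policy mismatch stops the exchange at step 2 before any nonce or identity is sent, and an identity that is not in the group's member list is refused at step 5 even though the tunnel definition names only the group. Nonces are exchanged in the clear, so on their own they give no secrecy; the claims only say they feed key generation.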
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1 \25. A network system comprising: 

2 \y a plurality of tunnels associated with a group name, wherein each of said plurality 

3 of tiWels associated with said group name comprises a plurality of nodes, wherein each 

4 of said\lurality of nodes comprises a communication adapter to interconnect with said 

5 virtual private network, wherein one of said plurality of nodes is a server node, wherein 

6 one of said piurality of nodes is a client node, wherein said server node comprises: 

] a^roup database, wherein said group database comprises said group name 

8 i and a list of membete associated with said group name; and 

^3/^^ a rules oatabase, wherein said rules database associates said group name 

1 0 with a particular security policy, wherein said server node has a single security policy for 

11 "5 each of the plurality of tunnels associated with said group name, 

1 '"''J 26. The network system as rented in claim 25, wherein said server node further 

2f^ comprises: \ 

3 ^ - a tunnel definition database, whWein a remote ID in said tunnel defmition is 

4 C3 defmed as said group name, wherein said seWer node has a single tunnel defmition for 

5 f ^ each of the plurality of tunnels associated with said group name. 

1 Q 27. The network system as recited in claim 26, vmerein a particular tunnel of said 

2 plurality of tunnels associated with said group name is acti\ated, wherein said particular 

3 tunnel is associated with a particular member of said group name. 

1 28. The network system as recited in claim 25, where^^id list of members 

2 associated with said group name comprise an ID type and an ID of each member 

3 associated with said group name. \ 



AUS9-2000-0479-US1 PATENT 

29. The network system as recited in claim 28, wherein said ID type is an Internet Key Exchange (IKE) defined ID type, wherein said list of members is a non-contiguous list of IKE defined ID types.

30. The network system as recited in claim 28, wherein said ID is a login ID.

31. The network system as recited in claim 28, wherein said ID is a specified name.

32. The network system as recited in claim 26, wherein said tunnel definition database in said server node is configured by a user entering a local ID, a local ID type, said remote ID and a remote ID type through a GUI.

33. The network system as recited in claim 26, wherein said tunnel definition database in said server node is configured by a user entering a local ID, a local ID type, said remote ID and a remote ID type through a command line interface.

34. The network system as recited in claim 25, wherein said group database in said server node comprises said group name and an ID type of each member of said group name and an ID of each member of said group name.

35. The network system as recited in claim 34, wherein said group database in said server node is configured by a user entering said group name, said ID type of each member of said group name and said ID of each member of said group name through a GUI.

36. The network system as recited in claim 34, wherein said group database in said server node is configured by a user entering said group name, said ID type of each member of said group name and said ID of each member of said group name through a command line interface.

37. The network system as recited in claim 34, wherein said group database in said server node is configured by a user entering said group name, said ID type of each member of said group name and said ID of each member of said group name through configuration files.

38. The network system as recited in claim 25, wherein said rules database in said server node comprises said group name, a group name ID type and a security policy pointer.

39. The network system as recited in claim 38, wherein said rules database is configured by a user entering said group name, said group name ID type and said security policy pointer through a GUI.

40. The network system as recited in claim 39, wherein said rules database is configured by a user entering said group name, said group name ID type and said security policy pointer through a command line interface.

41. The network system as recited in claim 27, wherein activating said particular tunnel comprises the steps of:

sending a security policy stored in a policy database of said client node by said client node to said server node;

sending a security policy stored in a policy database of said server node by said server node to said client node if said security policy stored in said policy database of said server node matches said security policy stored in said policy database of said client node;

sending a first nonce by said client node to said server node;

sending a second nonce by said server node to said client node;

sending a first ID by said client node to said server node; and

sending a second ID by said server node to said client node.

42. The network system as recited in claim 41, wherein said first and second nonce are used to generate key material for said server and client node, respectively.

43. The network system as recited in claim 41, wherein said policy database in said client and server node are configured by entering said security policy through a GUI at said client and server node.

44. The network system as recited in claim 41, wherein said policy database in said client and server node are configured by entering said security policy through a command line interface at said client and server node.

45. The network system as recited in claim 41, wherein said first ID is an ID of said particular member of said group name.

46. The network system as recited in claim 27, wherein activating said particular tunnel comprises the steps of:

sending a security policy stored in a policy database of said client node by said client node to said server node;

sending a security policy stored in a policy database of said server node by said server node to said client node if said security policy stored in said policy database of said server node agrees on the same set of protection suites at any point in time with said security policy stored in said policy database of said client node;

sending a first nonce by said client node to said server node;

sending a second nonce by said server node to said client node;

sending a first ID by said client node to said server node; and

sending a second ID by said server node to said client node.
47. A computer program product having a computer readable medium having computer program logic recorded thereon for allowing a server node in a virtual private network to have a single tunnel definition and a single security policy for a plurality of tunnels associated with a group name, comprising:

programming operable for configuring a group database in said server node, wherein said group database in said server node comprises said group name and a list of members associated with said group name; and

programming operable for configuring a rules database in said server node, wherein said rules database associates said group name with a particular security policy, wherein said server node has a single security policy for each of the plurality of tunnels associated with said group name.

48. The computer program product as recited in claim 47 further comprises:

programming operable for configuring a tunnel definition database in said server node, wherein a remote ID in said tunnel definition is defined as said group name, wherein said server node has a single tunnel definition for each of the plurality of tunnels associated with said group name.

49. The computer program product as recited in claim 48 further comprises:

programming operable for activating a particular tunnel of said plurality of tunnels associated with said group name, wherein said particular tunnel is associated with a particular member of said group name.

50. The computer program product as recited in claim 49 further comprises:

programming operable for transferring data across said particular tunnel.
51. The computer program product as recited in claim 47, wherein said list of members associated with said group name comprise an ID type and an ID of each member associated with said group name.

52. The computer program product as recited in claim 51, wherein said ID type is an Internet Key Exchange (IKE) defined ID type, wherein said list of members is a non-contiguous list of IKE defined ID types.

53. The computer program product as recited in claim 51, wherein said ID is a login ID.

54. The computer program product as recited in claim 51, wherein said ID is a specified name.

55. The computer program product as recited in claim 48, wherein configuring said tunnel definition database in said server node comprises establishing said server node and a client node as the two end points of a particular tunnel.

56. The computer program product as recited in claim 55, wherein said tunnel definition database in said server node is configured by a user entering a local ID, a local ID type, said remote ID and a remote ID type through a GUI.

57. The computer program product as recited in claim 55, wherein said tunnel definition database in said server node is configured by a user entering a local ID, a local ID type, said remote ID and a remote ID type through a command line interface.

58. The computer program product as recited in claim 47, wherein said group database in said server node comprises said group name and an ID type of each member of said group name and an ID of each member of said group name.

59. The computer program product as recited in claim 58, wherein configuring said group database in said server node is accomplished by entering said group name, said ID type of each member of said group name and said ID of each member of said group name through a GUI.

60. The computer program product as recited in claim 58, wherein configuring said group database in said server node is accomplished by entering said group name, said ID type of each member of said group name and said ID of each member of said group name through a command line interface.

61. The computer program product as recited in claim 58, wherein configuring said group database in said server node is accomplished by entering said group name, said ID type of each member of said group name and said ID of each member of said group name through configuration files.

62. The computer program product as recited in claim 47, wherein said rules database in said server node comprises said group name, a group name ID type and a security policy pointer.

63. The computer program product as recited in claim 62, wherein configuring said rules database in said server node is accomplished by entering said group name, said group name ID type and said security policy pointer through a GUI.
64. The computer program product as recited in claim 62, wherein configuring said rules database in said server node is accomplished by entering said group name, said group name ID type and said security policy pointer through a command line interface.

65. The computer program product as recited in claim 49, wherein activating said particular tunnel comprises the steps of:

sending a security policy stored in a policy database of a client node by said client node to said server node;

sending a security policy stored in a policy database of said server node by said server node to said client node if said security policy stored in said policy database of said server node matches said security policy stored in said policy database of said client node;

sending a first nonce by said client node to said server node;

sending a second nonce by said server node to said client node;

sending a first ID by said client node to said server node; and

sending a second ID by said server node to said client node.

66. The computer program product as recited in claim 65, wherein said first and second nonce are used to generate key material for said server and client node, respectively.

67. The computer program product as recited in claim 65, wherein said policy database in said client and server node are configured by entering said security policy through a GUI at said client and server node.

68. The computer program product as recited in claim 65, wherein said policy database in said client and server node are configured by entering said security policy through a command line interface at said client and server node.

69. The computer program product as recited in claim 65, wherein said first ID is an ID of said particular member of said group name.

70. The computer program product as recited in claim 49, wherein activating said particular tunnel comprises the steps of:

sending a security policy stored in a policy database of a client node by said client node to said server node;

sending a security policy stored in a policy database of said server node by said server node to said client node if said security policy stored in said policy database of said server node agrees on the same set of protection suites at any point in time with said security policy stored in said policy database of said client node;

sending a first nonce by said client node to said server node;

sending a second nonce by said server node to said client node;

sending a first ID by said client node to said server node; and

sending a second ID by said server node to said client node.